TFlower Ransomware is being installed in a corporate network through exposed Remote Desktop services that are being hacked by attackers. It get it name because of the string "*tflower" pre-pended to encrypted files.
Once the attackers gain access to the machine, they will infect the local machine or may attempt to traverse the network through tools such as PowerShell Empire, PSExec, etc. When executed, the ransomware will display a console that shows the activity being performed by the ransomware while it is encrypting a computer.
TFlower Ransomware Signatures
TFlower Ransomware Download